This is a summary of an article written for IndustryWeek by Rick Peters, Fortinet’s Operational Technology Global Enablement Director, entitled “A Cybersecurity Mountain to Climb: Getting IT and OT Tools to Talk to Each Other.”
Introducing digital innovation designed for IT networks into an OT environment can enable things like on-demand manufacturing, just-in-time inventory, remote monitoring, and process orchestration, which in turn leads to increased efficiencies, productivity, and profitability. However, critical data and highly sensitive OT resources need to be carefully protected while these two very different networks converge.
IT and OT Are Very Different
OT and IT networks were originally isolated from each other for good reason. OT systems and processes are highly latency-sensitive: the equipment monitoring the temperature of a boiler filled with thousands of gallons of caustic chemicals, or managing a complex, highly automated manufacturing floor, depends on real-time information and response. It simply cannot afford the kinds of delays or downtime that are routine in an IT network.
OT devices are also, on average, older and more fragile. Some remain in place, running the same application and operating system without a single update or patch, for decades, which means that many of them are vulnerable to old, well-known exploits. Until now, their primary defense has been the decision to air-gap them from the public-facing IT network.
OT Doesn’t Speak IT
IT and OT teams also have entirely different priorities when defining and balancing risk. IT, for example, uses the CIA model (confidentiality, integrity, availability), in that order, to prioritize the protection of data. Under that model, regularly taking systems offline for patching and updating, or slowing traffic so it can be encrypted and inspected, is a reasonable tradeoff.
OT managers turn the CIA model on its head. Availability of systems and the safety of workers and citizens are the highest priorities of OT. Process integrity runs a close second to safety to ensure that systems perform as expected. And confidentiality, which is the number one priority for IT, comes in as a distant third in favor of safe and continuous OT operations.
Shutting down a manufacturing floor for a system or security upgrade is simply not even on the table. Massive energy turbines, manufacturing furnaces, chemical production, or energy transmission systems can’t tolerate disruption for even a few seconds, as the consequences can be severe – and even life-threatening.
Therefore, integrating IT systems into an OT environment needs to be done carefully. Exposing OT systems to botnets, malware, and other exploits, even if the addition of IT systems means significant improvements in efficiencies and profitability, still runs counter to the primary objectives of any OT leader.
Any integration strategy needs to start with a careful analysis and inventory of all devices, systems, and workflows in place. This can be followed by the strategic integration of essential security solutions designed to provide the following:
- Dynamic segmentation and microsegmentation of devices and processes
- Support for OT-specific protocols and devices
- Consistent enforcement
- Centralized management
Segmentation and Zero Trust
In many OT networks, the first step is to implement segmentation and zero-trust access, so that newly connected IoT devices are isolated from sensitive OT devices and management and communications protocols are isolated from device and user interfaces. However, without a carefully orchestrated strategy that recognizes the uniqueness and fragility of the OT infrastructure, enforcing zero trust can disrupt or disable systems as much as it protects them.
To address this challenge, this approach needs to be “combined with an integrated security fabric that recognizes the distinct processes and priorities that govern an OT environment. An ability to safely recognize, consume and correlate threat data; communicate directly with a central management and orchestration system; and then enforce the appropriate security policy in the proper place without putting delicate OT systems and devices at risk is the absolute imperative.” – Rick Peters, “A Cybersecurity Mountain to Climb: Getting IT and OT Tools to Talk to Each Other”
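A dry-run version of the zone allowlist described above, as an added example that is not code from the article or from Fortinet: the zone names, address ranges, rules and sample flow records are all constructed for illustration. It evaluates flow records against a default-deny policy between zones, keeps operator polling of controllers separate from engineering (programming) access, and has an observe mode that reports what would be blocked without blocking anything, which is the staged rollout a fragile OT network needs before enforcement is switched on.

```python
"""Dry-run evaluator for an IT/OT segmentation allowlist.

Added example: not code from the IndustryWeek article or from Fortinet.
Zone names, address ranges, rules and sample flow records are constructed
for illustration. It shows a default-deny policy between zones in which
OT protocols are permitted only on the paths that need them, management
traffic to controllers is separated from operator traffic, and an
"observe" mode reports what would be blocked without blocking anything,
so a policy can be staged against real traffic before it is enforced.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map. In a real deployment the zones would be VLANs,
# VRFs or firewall interfaces; the evaluator only needs IP -> zone.
ZONES = {
    "iot": [ip_network("10.30.0.0/24")],    # newly connected sensors, cameras
    "hmi": [ip_network("10.20.0.0/24")],    # operator consoles
    "eng": [ip_network("10.20.1.0/24")],    # engineering workstations
    "plc": [ip_network("10.10.0.0/24")],    # controllers
    "it":  [ip_network("192.168.0.0/16")],  # corporate IT network
}


@dataclass(frozen=True)
class Rule:
    src: str    # source zone
    dst: str    # destination zone
    proto: str  # "tcp" or "udp"
    dport: int  # destination port
    note: str   # why the path exists


# Constructed allowlist; any flow not matched here is denied.
# Polling (HMI -> PLC) and programming (engineering -> PLC) are separate
# rules so that an operator console can never reach the programming port.
RULES = (
    Rule("hmi", "plc", "tcp", 502, "Modbus/TCP polling from operator consoles"),
    Rule("eng", "plc", "tcp", 102, "S7comm programming from engineering hosts only"),
    Rule("hmi", "plc", "tcp", 20000, "DNP3 polling from operator consoles"),
)


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything unmapped is 'unknown'."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def evaluate(flow: dict, mode: str = "enforce") -> dict:
    """Return the verdict for one flow record.

    flow: {"src", "dst", "proto", "dport"} as a firewall or NetFlow record
    would provide. In "observe" mode a non-matching flow is reported as
    "would_deny" rather than "deny", so nothing is actually disrupted
    while the allowlist is checked against live OT traffic.
    """
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    path = f"{src_zone}->{dst_zone}"
    for rule in RULES:
        if (rule.src, rule.dst, rule.proto, rule.dport) == (
            src_zone, dst_zone, flow["proto"], flow["dport"]
        ):
            return {"verdict": "allow", "path": path, "rule": rule.note}
    verdict = "deny" if mode == "enforce" else "would_deny"
    return {"verdict": verdict, "path": path, "rule": None}


def summarize(flows: list, mode: str = "observe") -> dict:
    """Count verdicts over a batch of records; use this to judge whether
    an allowlist is complete before switching from observe to enforce."""
    counts = {}
    for flow in flows:
        verdict = evaluate(flow, mode)["verdict"]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample records, as if exported from a firewall log.
SAMPLE_FLOWS = [
    {"src": "10.20.0.15", "dst": "10.10.0.7", "proto": "tcp", "dport": 502},   # HMI polling a PLC
    {"src": "10.20.1.5", "dst": "10.10.0.7", "proto": "tcp", "dport": 102},    # engineer programming
    {"src": "10.20.0.15", "dst": "10.10.0.7", "proto": "tcp", "dport": 102},   # HMI on programming port
    {"src": "10.30.0.42", "dst": "10.10.0.7", "proto": "tcp", "dport": 502},   # IoT device reaching PLC
    {"src": "192.168.5.9", "dst": "10.10.0.7", "proto": "tcp", "dport": 502},  # corporate host to PLC
]

if __name__ == "__main__":
    for record in SAMPLE_FLOWS:
        print(record, evaluate(record, "observe"))
    print(summarize(SAMPLE_FLOWS, "observe"))
```

Running the block prints the verdict for each sample record. In practice the observe-mode counts are what you watch: the policy moves to enforce only once legitimate OT traffic stops showing up as would_deny, and a would_deny hit on a controller's programming port from anything other than the engineering zone is itself a finding worth chasing before any rule is tightened.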
Increasing Profitability Without Increasing Risk
By carefully addressing the concerns and priorities of your OT environment, convergence can help your organization realize the potential of digital innovation without putting personnel and critical OT resources at risk.
Learn how Fortinet can help you extend security from the data center, to the cloud, and to the network perimeter in even the toughest of ICS/SCADA environments.